There is no greater act of intellectual heresy than to turn up to a computer show while questioning the need for that show even to exist, not to mention everything being promoted at it, but that is apparently what Bruce Schneier did at last week’s Infosecurity Europe show.

Do we need a security industry at all? Not really. So why do we have one? Because the IT industry is accidentally-deliberately wedded to poor security, and uses this fact to gently extort money from people to compensate for bad programming, and bad thinking.

"We shouldn't have to come and find a company to secure our e-mail. E-mail should already be secure. We shouldn't have to buy from somebody to secure our network or servers. Our networks and servers should already be secure," he told a delighted journalist, no doubt perspiring from the lack of anything else even vaguely controversial to write about.

He’s been saying this for some time, and we’ve been saying we disagree with his solution to the problem of making software companies liable for bad code.

But in any case, the problem of security is not simply that it exists to solve the laziness and sloppiness of an entire industry (however apt that might be as a moral analysis) but that there are simply too many security “solutions” chasing too few fundamental problems, a disproportionate number of which afflict only a small part of IT, the client computer.

Security will always be necessary in the real world, but working out which bits present the best security is immensely difficult. There are too many technologies and designs that do similar things, all chasing the same confused customers. As time passes, the number of designs increases, and this tempts people to solve problems they don’t have, or over-engineer protection they probably won’t use. And e-crime continues to rise because, in any case, the biggest security problem – the one no amount of security will ever solve – is the human one.

Computers, like guns, don’t kill people, but they sure make it a hell of a lot easier to try.